UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

October 14, 2014

MEMORANDUM FOR:   Ellen Herbst
                  Chief Financial Officer and Assistant Secretary for Administration

                  Steve Cooper
                  Chief Information Officer

FROM:             Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:          Audit of the Department's Cloud Computing Efforts Identified Contractual
                  Deficiencies - Final Memorandum OIG-15-001-M

The Council of Inspectors General on Integrity and Efficiency (CIGIE) initiated a government-wide review to evaluate federal agencies' efforts to adopt cloud computing technologies. The review focused on determining whether contracts that agencies have issued for cloud services comply with applicable standards. This memorandum provides our findings and recommendations regarding the OIG's cloud computing audit, conducted while participating in CIGIE's government-wide review.

Background

CIGIE was statutorily established as an independent entity within the executive branch by the Inspector General Reform Act of 2008 [1] to
   • address integrity, economy, and effectiveness issues that transcend individual government agencies; and
   • increase the professionalism and effectiveness of personnel by developing policies, standards, and approaches to aid in the establishment of a well-trained and highly skilled workforce in the offices of inspector general.

In November 2013, CIGIE requested that agencies' Offices of Inspectors General participate in a government-wide review of the use of cloud services. Inspectors General for 20 departments and agencies opted to participate in the CIGIE review. The review involved evaluating cloud service contracts for compliance with applicable contract standards and determining the agencies' cloud service providers' (CSPs') Federal Risk and Authorization Management Program (FedRAMP [2]) status. The memorandum [3] issued by the Federal Chief Information Officer on December 8, 2011, required that all implemented cloud services meet FedRAMP security authorization requirements by June 5, 2014.

[1] The Inspector General Reform Act of 2008, P.L. 110-409.
[2] FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
[3] Office of Management and Budget, December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments. Washington, DC: OMB.

Objectives, Findings, and Recommendations

Our audit objectives were to evaluate the Department's efforts to adopt cloud computing technologies and to review executed contracts between the Department's bureaus and CSPs for compliance with applicable standards. We reviewed a selection of cloud service contracts initiated between Departmental bureaus and their selected CSPs to determine if applicable contracting language and clauses were included. Our selection consisted of contracts with the Census Bureau's CSPs Akamai and GovDelivery, the National Institute of Standards and Technology's (NIST's) CSPs Microsoft and ServiceNow, and the National Oceanic and Atmospheric Administration's (NOAA's) CSPs Google, Inc. and Fiberlink. See appendix A for further details regarding our objectives, scope, and methodology. See table B-1, in appendix B, for the dollar value and duration of each of the selected contracts.

In the course of our audit, we found that (1) there were deficiencies in the contracts we reviewed and (2) cloud services did not comply with FedRAMP security authorization requirements.

   I.  Cloud-Computing Contracts Are Missing Required Clauses

   While the contracts and associated documents such as service level agreements, non-disclosure agreements, and terms of service generally include the required language, we noted several deficiencies (see table B-2, in appendix B, for detailed findings). Specifically, we found:
      • Four of six contracts did not contain the Commerce Acquisition Regulation (CAR) [4] clause (CAR 1352.239-72) that allows OIG access to the contractor's facilities, installations, operations, documentation, databases, and personnel used in performance of the contract in order to carry out an inspection, investigation, audit, or other review.
      • One of six contracts did not contain the Federal Acquisition Regulation (FAR) clause (FAR subsection 52.239-1) that allows an agency access to the CSP's facilities, installations, documentation, records, and databases to carry out an inspection program to safeguard against threats and hazards to the security, integrity, and confidentiality of government data.

[4] These are the Department of Commerce's uniform acquisition policies and procedures, which implement and supplement the Federal Acquisition Regulation (FAR).

   II. The Department's Cloud Services Are Not FedRAMP-Compliant

   OMB required that all cloud services currently implemented comply with FedRAMP security authorization requirements by June 5, 2014. However, we found that only two of the cloud services associated with the contracts we reviewed [5] met the FedRAMP deadline; they each have a FedRAMP provisional authorization to operate. [6]

   Nevertheless, all cloud services associated with the contracts we reviewed have been granted authorization to operate by the respective bureaus. [7] As a result, bureau authorizing officials should be aware of the risks associated with employing cloud services that do not meet FedRAMP requirements. [8]

Recommendations

We recommend that the Department's Chief Financial Officer and Assistant Secretary for Administration

   1. Ensure that all existing and future Commerce bureau cloud service contracts appropriately include the clauses from CAR 1352.239-72 and FAR subsection 52.239-1.

We also recommend that the Department's Chief Information Officer

   2. Ensure that Commerce bureaus employing cloud services that do not meet FedRAMP requirements conduct effective continuous monitoring of the services' security controls in order to minimize potential risks.

We have summarized your formal response in this memorandum and included a copy as appendix C. The final memorandum will appear on the OIG website pursuant to section 8M of the Inspector General Act of 1978, as amended.

In accordance with Department Administrative Order 213-5, please provide us with your action plan within 60 days of the date of this memorandum. We appreciate the cooperation and courtesies extended to us by your staff and bureau staff during our audit. If you have any questions or concerns about this memorandum, please contact me at (202) 482-1855 or Dr. Ping Sun, Director for IT Security, at (202) 482-6121.

[5] The cloud service provided to the Census Bureau by Akamai, and one of two cloud services provided to NIST by Microsoft, comply with FedRAMP authorization requirements.
[6] A FedRAMP provisional authorization to operate is an initial approval of the CSP's authorization package by the Joint Authorization Board (JAB) that an executive department or agency can leverage to grant a security authorization to operate for the acquisition and use of the cloud service within their agency. The FedRAMP JAB consists of the chief information officers from the Departments of Defense and Homeland Security, as well as the U.S. General Services Administration, supported by designated technical representatives from their respective member organizations.
[7] We did not evaluate any of the bureaus' security authorization packages as part of our audit.
[8] OMB has not issued guidance to federal agencies for dealing with CSPs whose cloud services did not meet the June 2014 deadline.

cc:   Brian McGrath, Chief Information Officer, Census Bureau
      Joanne Buenzli Crane, Chief Financial Officer, Census Bureau
      Delwin Brockett, Chief Information Officer, NIST
      George E. Jenkins, Chief Financial Officer, NIST
      Zachary Goldstein, Acting Chief Information Officer, NOAA
      Chris Cartwright, Acting Chief Financial Officer, NOAA
      Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer

Summary of Agency Response and OIG Comments

In response to our draft memorandum, the Department concurred with the overall findings and recommendations. Further, the Department plans to develop a corrective action plan to adequately address the risks identified within the draft memorandum.

The Department's response is provided in appendix C.

Appendix A: Objectives, Scope, and Methodology

Our audit objectives were to evaluate the Department's efforts to adopt cloud computing technologies and to review executed contracts between the Department's bureaus and CSPs for compliance with applicable standards.

Our audit is based on participation in CIGIE's November 2013 government-wide review to evaluate federal agencies' efforts to adopt cloud computing technologies. In support of the CIGIE effort, we surveyed bureaus to identify cloud service contracts in place throughout the Department. We provided summary results of the survey to CIGIE and used the survey results to establish an audit universe of 35 cloud service contracts across 6 bureaus.

Based on our knowledge of and experience with Departmental bureaus, we selected a nonstatistical sample of six cloud service contracts from three bureaus (the Census Bureau, NIST, and NOAA) for review. Our selection consisted of contracts with the Census Bureau's CSPs Akamai and GovDelivery, NIST's CSPs Microsoft and ServiceNow, and NOAA's CSPs Google, Inc. and Fiberlink.

CIGIE provided matrices (as Microsoft Excel spreadsheet workbooks) for OIGs to use for evaluating the contracts and providing audit results to CIGIE. We fulfilled specific CIGIE requests as follows:
   • We obtained copies of the selected contracts and supporting information and followed up with the bureaus to ensure we had the information needed to answer the questions in the matrices.
   • Next, we used the information provided by the bureaus to complete the matrix for each contract.
   • Then we sent the matrices to the bureaus on May 13, 2014, and received their comments within 3 weeks.
   • After reviewing the bureaus' comments, we made appropriate changes to the matrices and sent them to CIGIE, the Department's Chief Information Officer (CIO), and the CIOs of the Census Bureau, NIST, and NOAA on June 16, 2014.

CIGIE will use the results matrices provided by participating OIGs to prepare a consolidated report on the state of cloud service contracts across all agencies represented. We used the results that we provided to CIGIE as the basis for this audit report.

We conducted our field work from December 2013 to May 2014 at the Department's offices in the Washington, DC, metropolitan area. We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated April 26, 2013, and in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

Appendix B: Departmental Cloud Service Contract Details

Table B-1. Contract Value and Duration by Bureau and Cloud Service Provider

   Bureau / CSP                    Total contract value      Contract duration
                                   (millions of dollars)     (years)
   Census Bureau / Akamai          2.448                     4
   Census Bureau / GovDelivery     2.44                      4
   NIST / Microsoft                9.0                       5
   NIST / ServiceNow               1.35                      3
   NOAA / Fiberlink                7.095                     2
   NOAA / Google, Inc.             4.734                     3

   Source: OIG

Table B-2. Contract Deficiencies by Bureau and Cloud Service Provider [a]

   CIGIE Matrix Question 1: Does the cloud contract, SLA, or TOS include language allowing the Office of Inspector General full and free access to the Contractor's (and subcontractor's) facilities, installations, operations, documentation, databases, and personnel used in performance of the contract in order to conduct audits, inspections, investigations, or other reviews? [b]

   CIGIE Matrix Question 2: Does the cloud contract, Service Level Agreement (SLA), or Terms of Service (TOS) agreement contain FAR clause 52.239-1, allowing the Agency access to the CSP's facilities, installations, technical capabilities, operations, documentation, records, and databases?

   Bureau / CSP                    Question 1     Question 2
   Census Bureau / Akamai          No             Yes
   Census Bureau / GovDelivery     Yes            Yes
   NIST / Microsoft                Yes            Yes
   NIST / ServiceNow               No             No
   NOAA / Fiberlink                No             Yes
   NOAA / Google, Inc.             No             Yes

   Source: CIGIE and OIG
   [a] A "No" response indicates a deficiency.
   [b] CAR 1352.239-72(h) contains this language.

Appendix C: Agency Response

UNITED STATES DEPARTMENT OF COMMERCE
Office of the Secretary
Washington, D.C. 20230

SEP 30 2014

MEMORANDUM FOR:   Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT Security

FROM:             Ellen Herbst
                  Chief Financial Officer and Assistant Secretary for Administration

                  Steven I. Cooper
                  Chief Information Officer

SUBJECT:          Agency Response to OIG's Draft Memorandum Cloud Computing Efforts Identified
                  Contractual Deficiencies

This memorandum responds to the draft memorandum from the Office of the Inspector General titled, Cloud Computing Efforts Identified Contractual Deficiencies. The draft memorandum identifies deficiencies in contracts for cloud services and notes that several cloud services provided to the Department did not comply with Federal Risk and Authorization Management Program (FedRAMP) security requirements. The Department concurs with the overall findings and recommendations outlined within the draft memorandum.

Further, the Department will develop and submit a corrective action plan to adequately address the risks identified within the OIG's draft memorandum.

cc:   Brian McGrath, Chief Information Officer, Census Bureau
      Joanne Buenzli Crane, Chief Financial Officer, Census Bureau
      Delwin Brockett, Chief Information Officer, NIST
      George E. Jenkins, Chief Financial Officer, NIST
      Zachary Goldstein, Acting Chief Information Officer, NOAA
      Chris Cartwright, Acting Chief Financial Officer, NOAA